Date: Thu, 02 Apr 2009 14:09:00 +0200 From: Paolo Pisati <p.pisati@oltrelinux.com> To: Luigi Rizzo <rizzo@iet.unipi.it> Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov <dima_bsd@inbox.lv>, Alex Dupre <ale@FreeBSD.org> Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets? Message-ID: <49D4AADC.30900@oltrelinux.com> In-Reply-To: <20090402113231.GB6577@onelab2.iet.unipi.it> References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> <20090317190123.GB89417@onelab2.iet.unipi.it> <49C01E08.9050709@oltrelinux.com> <20090317223511.GB95451@onelab2.iet.unipi.it> <49D49AEB.20701@oltrelinux.com> <20090402113231.GB6577@onelab2.iet.unipi.it>
Luigi Rizzo wrote:
> Can you put a description in the manpage especially on the
> assumptions and side effects of the reass option ?
>
> E.g. as i read it,
> + you need to make sure that the fragments are not dropped before
>   the 'reass' (so you cannot rely on port numbers to decide
>   accept or deny). This is obvious but a very common mistake;
> + reass silently queues the fragment if it does not reass, so it
>   opens up a bit of vulnerability. Again obvious, but people
>   won't realise if they don't see the code.

Someone else already pointed out that I should mention net.inet.ip.maxfrag*;
I'll come up with an updated man page later today.

--
bye,
P.
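The two pitfalls Luigi lists (fragments dropped before the rule that reassembles them, and port-based rules that can never see non-first fragments) are really a rule-ordering problem. The ruleset below is an added illustration, not part of this thread or of the ipfw patch under discussion; it assumes the `reass` action syntax of that patch, that it is loaded with `ipfw /path/to/file` (so the lines carry no `ipfw` prefix), and that `net.inet.ip.fw.one_pass` is 0 so a reassembled packet falls through to the rules after `reass`. The `frag` keyword matches only fragments with a non-zero offset, which carry no transport header at all.

```conf
# --- Weak ordering (do not use) ---------------------------------------
# Rule 100 drops every non-first fragment before rule 300 can queue it,
# so a large UDP datagram never reassembles. Rule 200 cannot help either:
# "dst-port 53" can only ever match the first fragment, which is the only
# one that has a UDP header.
add 100 deny ip from any to any frag
add 200 allow udp from any to any dst-port 53 in
add 300 reass all from any to any in

# --- Corrected ordering -----------------------------------------------
# Reassemble first. Middle fragments are queued and consumed here; the
# reassembled datagram continues to rule 200 with its full UDP header, so
# the port decision is made on the whole packet, not on a fragment.
add 100 reass all from any to any in
add 200 allow udp from any to any dst-port 53 in
# Anything still fragmented at this point was not reassembled; drop it
# rather than let it through on a rule that never looked at a port.
add 300 deny ip from any to any frag
add 400 deny ip from any to any
```

Because `reass` holds fragments in the kernel until the last one arrives, the queue it builds is bounded by the net.inet.ip.maxfrag* sysctls the reply refers to (`net.inet.ip.maxfragpackets` and `net.inet.ip.maxfragsperpacket` in FreeBSD); checking those limits is the mitigation for the "silently queues" side effect, and a counter on rule 300 gives a quick signal of how many fragments are being dropped unreassembled.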